Mbed TLS is now part of TrustedFirmware.org.

Mbed TLS 2.13.0, 2.7.6 and 2.1.15 released


Mbed TLS version 2.13.0 has now been released, in addition to maintenance releases for Mbed TLS 2.1 and Mbed TLS 1.3.

Mbed TLS 2.13.0 introduces several new features improving our support for DTLS over low-bandwidth, high latency networks with high packet loss. Specifically:

  • Support for fragmentation of outgoing handshake messages, allowing the use of Mbed TLS across networks with datagram links with MTUs as low as 512 bytes, making it suitable for NB-IOT networks.
  • Grouping outgoing handshake messages in a single datagram, reducing both the network load and the likelihood of reordering effects.
  • Reordering handshake packets that have been received out of order, reducing the number of retransmissions necessary to complete a handshake, and therefore increasing handshake efficiency and reducing network load.

This release also addresses one security issue and resolves multiple defects. Mbed TLS 2.7.6 and 2.1.15 are maintenance releases, and intentionally do not contain new features to avoid changing the library interface and allow users to change library versions easily.


  • (2.13, 2.7, 2.1) Fixed an issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing. A read of one byte beyond the limit of the input buffer was made, when the extensions length field was zero. Found by Nathan Crandall.


  • (2.13) Added support for fragmentation of outgoing DTLS handshake messages. This is controlled by the maximum fragment length set locally or negotiated with the peer, or alternatively by a new per-connection MTU (Maximum Transmission Unit) option, set using mbedtls_ssl_set_mtu().

  • (2.13) Added support for the automatic adjustment of the MTU to a safe value during the handshake for when flights of messages are not received, as defined by (RFC 6347, section

  • (2.13) Added support for the packing of multiple records into a single datagram. This feature is enabled by default.

  • (2.13) Added support for buffering of out-of-order handshake messages in DTLS. The maximum amount of RAM used for this can be controlled by the compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING as defined in the configuration file.

API Changes

  • (2.13) Added the function mbedtls_ssl_set_datagram_packing() to configure the use of datagram packing. This feature is enabled by default.


  • (2.13, 2.7, 2.1) Fixed a potential memory leak in mbedtls_ssl_setup() function. An allocation failure in the function could lead to other buffers being leaked.

  • (2.13, 2.7, 2.1) Fixed an issue with MBEDTLS_CHACHAPOLY_C which would not compile if MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined, and an issue with the wrong test dependencies for MBEDTLS_ARC4_C. #1890.

  • (2.13, 2.7, 2.1) Fixed a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails. Fix contributed by Espressif Systems.

  • (2.13, 2.7, 2.1) ECC extensions are now only included if an ECC based ciphersuite is used. This improves compliance to (RFC 4492, and as a result, solves interoperability issues with BouncyCastle. Raised by milenamil in #1157.

  • (2.13, 2.7, 2.1) Fixed a potential use-after-free issue in mbedtls_ssl_get_max_frag_len() and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.

  • (2.13, 2.7, 2.1) Fixed a miscalculation of the maximum record expansion in mbedtls_ssl_get_record_expansion() when using the Chacha-Poly1305 ciphersuites or any CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913 and #1914.

  • (2.13, 2.7, 2.1) Fixed a bug that caused SSL/TLS clients to incorrectly abort the handshake with TLS versions 1.1 and earlier when the server requested authentication without providing a list of CA's (Certificate Authorities). This was due to an overly strict bounds check in parsing the CertificateRequest message, introduced in Mbed TLS 2.12.0. Fixes #1954.

  • (2.13, 2.7, 2.1) Fixed a memory leak and free without initialization in the pk_encrypt and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.

  • (2.13, 2.7, 2.1) Fixed undefined shifts with negative values in certificates parsing. Fixed by Catena Cyber, with credit for finding the issue to OSS-Fuzz.

  • (2.13) Replaced printf with mbedtls_printf() in the ARIA module. Found by TrinityTonic in #1908.

  • (2.13) Removed a redundant else statement. Raised by irwir. Fixes #1776.


  • (2.13, 2.7) Improved interworking with some alternative Mbed OS hardware accelerated CCM implementations by using CCM test vectors from RAM.

  • (2.13) Added support to preserve the timestamps of headers copied when doing a make install. Contributed by xueruini.

  • (2.13) Forward declaration of structs in the public interface are now possible. Contributed by Dawid Drozd. Fixes #1215 raised by randombit.

  • (2.13) Added support for buffering of out-of-order handshake messages. Original contribution by Bryce Kahle.

  • (2.13) Added warnings to the documentation of the HKDF module to reduce the risk of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand() functions. Fixes #1775. Reported by Brian J. Murray.

Who should update

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases as Mbed TLS 1.3 has now reached its end-of-life.

End of life for Mbed TLS 2.1

Mbed TLS 2.1.0 was first shipped on 4th September 2015, and is nearing the end of its life. Mbed TLS 2.1 will not be supported after Autumn 2018. All users of Mbed TLS 2.1 are advised to upgrade to a later version of Mbed TLS wherever possible. The latest long-term support branch is Mbed TLS 2.7.

Download links

Get your copy here:


The hashes for files/mbedtls-2.13.0-apache.tgz are:

SHA-1: 6f52c687d7f925771b3c82346e126c1d2ef6e51f
SHA-256: 593b4e4d2e1629fc407ab4750d69fa309a0ddb66565dc3deb5b60eddbdeb06da

The hashes for files/mbedtls-2.13.0-gpl.tgz are:

SHA-1: c08ece280db88b765ae626254000bbe192f48bb2
SHA-256: a08ddf08aae55fc4f48fbc6281fcb08bc5c53ed53ffd15355ee0d75ec32b53ae

The hashes for files/mbedtls-2.7.6-apache.tgz are:

SHA-1: 8ca8825f2bdb97ed1ed9180d24485a609b55b8b2
SHA-256: 936237a1cfef20590575c60dbb577728e5dbd40f6d0eef8f92a93fba7bb6823a

The hashes for files/mbedtls-2.7.6-gpl.tgz are:

SHA-1: 85098a0c7740df396d3df44d6c8e089dc182e346
SHA-256: 8036f9e392ad5d43e982ebd9508e7a62264fa858e3418adb844752969e580abf

The hashes for files/mbedtls-2.1.15-apache.tgz are:

SHA-1: a455e4e7d17ec3a3696dfca7135bf22436017393
SHA-256: 3d1de330ddf5de1dfb9651a5ce1c2bb6478c4b97f2080844a92c15e7b5d3f4dd

The hashes for files/mbedtls-2.1.15-gpl.tgz are:

SHA-1: 4ae4b898284f310877e39d0b38b20f10c6dae8be
SHA-256: 6c74cc692f965d60a63e9d9fd42f389ade1cc00033410795048057019040a98f

Like this?




Last updated:
Sep 13, 2018


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.